CN116668122A - Role-based access control policy auto-generation - Google Patents


Info

Publication number
CN116668122A
Authority
CN
China
Prior art keywords
network
perform
functions
access control
control policy
Prior art date
Legal status
Pending
Application number
CN202310640113.7A
Other languages
Chinese (zh)
Inventor
普拉萨德·梅里亚拉
萨杰施·马修
卡纳安·瓦拉德汉
Current Assignee
Juniper Networks Inc
Original Assignee
Juniper Networks Inc
Priority date
Filing date
Publication date
Application filed by Juniper Networks Inc
Publication of CN116668122A
Legal status: Pending (current)

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
              • H04L63/101 Access control lists [ACL]
              • H04L63/104 Grouping of entities
            • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F9/00 Arrangements for program control, e.g. control units
            • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
              • G06F9/46 Multiprogramming arrangements
                • G06F9/468 Specific access rights for resources, e.g. using capability register
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/60 Protecting data
              • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                • G06F21/6209 Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present disclosure relates to role-based access control policy auto-generation. In some examples, an access control policy controller in a computer network may receive a request to create an access control policy that allows a role to perform one or more functions in the computer network. The access control policy controller may determine, based at least in part on tracking the performance of the one or more functions in the computer network, one or more operations performed on one or more objects in the computer network to perform those functions. The access control policy controller may then create an access control policy for the role that allows the role to perform the one or more operations on the one or more objects in the computer network.

Description

Role-based access control policy auto-generation
The present disclosure is a divisional application of the application with application number 202010528849.1, filed 2020-06-11 and titled "role-based access control policy auto-generation", the entire contents of which are incorporated herein by reference.
Technical Field
The present disclosure relates to computer networks and, more particularly, to access control policies for computer networks.
Background
Virtual data centers are becoming the core foundation of modern Information Technology (IT) infrastructure. In particular, modern data centers make wide use of virtual environments in which virtual hosts, such as virtual machines or virtual containers, are deployed and run on the underlying computing platform of a physical computing device. Virtualization in large data centers may provide several advantages. One advantage is that virtualization can greatly improve efficiency. Virtualization is easier and more efficient because the underlying physical computing devices (i.e., servers) become more and more powerful with the advent of multi-core microprocessor architectures with a large number of cores per physical CPU. A second advantage is that virtualization provides important control over the infrastructure. Because, for example, in a cloud-based computing environment, physical computing resources become interchangeable resources, the provisioning and management of computing infrastructure becomes easier. Thus, in addition to the efficiencies and higher Return On Investment (ROI) provided by virtualization, enterprise IT staff also typically prefer virtualized computing clusters because of the management advantages they offer in the data center.
For example, a data center may physically house all infrastructure equipment, such as networking and storage systems, redundant power supplies, and environmental controls. In a typical data center, clusters of storage systems and application servers are interconnected by a switching fabric provided by one or more layers of physical network switches and routers. More complex data centers provide user support equipment located in various physical hosting facilities for infrastructure that is located throughout the world. In many instances of a data center, the infrastructure may include a combination of physical devices that are linked to and communicate with various virtual resources, such as virtual servers, proxies, and/or policy controllers.
Disclosure of Invention
In general, this disclosure describes techniques that enable a controller of a computer network to generate role-based access control (RBAC) policies for the computer network based on user intent. A user, such as an administrator of the computer network, may specify one or more user intents, where a user intent is a high-level description of a desired end function of the computer network. The controller may determine which objects in the computer network are operated on to perform the one or more user intents, and may determine the particular operations performed on those identified objects in order to perform the one or more user intents. Accordingly, the controller may determine an access control policy for a role that allows the role to perform those particular operations on the identified objects.
A computer network (e.g., a software-defined network) may be a complex environment that includes hundreds of physical and/or virtual components, such as applications, virtual machines, virtual routers, virtual networks, subnets, domains, tenants, resources, etc., that communicate with each other and with external devices. Thus, it is not feasible for a user (e.g., an administrator) to manually determine an appropriate access control policy for a role that allows the role to perform one or more user intents within the computer network. For example, executing a workflow that includes one or more user intents may include performing operations to monitor and orchestrate resources across clusters, domains, tenants, virtual networks, and the like. Further, these entities may span multiple virtual routers, nodes (e.g., configuration nodes, control nodes, etc.), virtual machines, and so forth. Thus, in some instances, executing a workflow that includes one or more user intents may include accessing and performing operations on hundreds of different objects across multiple servers of the network, and a user may not be able to manually determine the appropriate access control policy for the role.
In some instances, if a user attempts to manually determine an access policy that grants a role the ability to perform one or more intents in a computer network, the user may grant too much or too little. For example, if the user determines that performing a user intent involves performing an operation on an object in the computer network, but does not know the specific operation that must be performed on that object, the user may grant the role the ability to perform operations on objects that are not needed to perform the user intent. This can lead to a security issue: a user associated with the role may be allowed to perform operations beyond those required to perform the user intent. In other instances, the user may erroneously fail to grant the role the ability to perform one or more operations that are needed to perform the user intent, in which case the role cannot perform the user intent even though the user intended to permit it.
Accordingly, the techniques described herein may provide one or more technical advantages that result in at least one practical application. For example, by identifying the objects that are operated on to perform one or more user intents, and by determining the specific operations performed on those identified objects, a controller of a computer network may create an access policy that enables a role to perform the specific operations on the specific objects needed to perform the one or more user intents, while preventing the role from performing operations on objects in the computer network that are not required to perform those user intents. Thus, the techniques described herein may improve the security of the computer network by preventing erroneous or unintended grants of authority to a role to perform operations on objects that are not required for the one or more user intents, while still granting the role the authority it needs to perform those intents.
In one example, a method includes receiving a request to create an access control policy that allows a role to perform one or more functions in a network. The method further includes determining, based at least in part on tracking execution of the one or more functions in the network, one or more operations performed on one or more objects in the network to perform the one or more functions. The method further includes creating an access control policy for the role that allows the role to perform the one or more operations on the one or more objects in the network.
In another example, an apparatus includes a memory configured to store one or more access control policies. The apparatus further includes processing circuitry operably coupled to the memory and configured to: receive a request to create an access control policy that allows a role to perform one or more functions in the network; determine, based at least in part on tracking the performance of the one or more functions in the network, one or more operations performed on one or more objects in the network to perform the one or more functions; and create an access control policy for the role, the access control policy allowing the role to perform the one or more operations on the one or more objects in the network.
In another example, a computer readable medium includes instructions that, when executed, cause processing circuitry executing an access control policy controller for a network to: receive a request to create an access control policy that allows a role to perform one or more functions in the network; determine, based at least in part on tracking the performance of the one or more functions in the network, one or more operations performed on one or more objects in the network to perform the one or more functions; and create an access control policy for the role, the access control policy allowing the role to perform the one or more operations on the one or more objects in the network.
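To make the three-step method concrete (receive a request for a role and functions, track which operations were performed on which objects while those functions ran, create a policy with exactly those grants), here is an added Python example. It is not the patent's or Juniper's implementation: the object names, operation names, the audit-trace format and the role name are constructed assumptions. It also shows the over-grant and under-grant comparison that the disclosure uses to motivate deriving the policy from tracked execution rather than writing it by hand.

```python
"""Derive a least-privilege RBAC policy from a tracked execution of the
requested functions.

Added illustration, not the patent's or Juniper's implementation.  The object
names, operation names and the audit-trace format are constructed assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    """One permitted (object, operation) pair."""
    object_name: str
    operation: str


@dataclass(frozen=True)
class AccessControlPolicy:
    role: str
    functions: tuple[str, ...]
    grants: frozenset[Grant]

    def allows(self, object_name: str, operation: str) -> bool:
        return Grant(object_name, operation) in self.grants


# Constructed audit trace: one record per operation the controller observed
# while a function was executed in the network.  "function" tags the intent
# the operation served.
TRACE = [
    {"function": "create-tenant-vn", "object": "project", "operation": "read"},
    {"function": "create-tenant-vn", "object": "virtual-network", "operation": "create"},
    {"function": "create-tenant-vn", "object": "subnet", "operation": "create"},
    {"function": "attach-workload", "object": "virtual-network", "operation": "read"},
    {"function": "attach-workload", "object": "virtual-machine-interface", "operation": "create"},
    {"function": "attach-workload", "object": "virtual-machine", "operation": "update"},
    {"function": "delete-tenant", "object": "virtual-network", "operation": "delete"},
    {"function": "delete-tenant", "object": "project", "operation": "delete"},
]


def operations_by_function(trace: list[dict]) -> dict[str, set[Grant]]:
    """Determine, per function, which operations were performed on which
    objects (the 'tracking' step of the described method)."""
    observed: dict[str, set[Grant]] = defaultdict(set)
    for record in trace:
        observed[record["function"]].add(Grant(record["object"], record["operation"]))
    return observed


def create_policy(role: str, requested: list[str], trace: list[dict]) -> AccessControlPolicy:
    """Handle a request to let `role` perform the `requested` functions: the
    policy contains exactly the (object, operation) pairs observed for those
    functions and nothing from functions that were not requested."""
    observed = operations_by_function(trace)
    missing = [f for f in requested if f not in observed]
    if missing:
        # Without a tracked execution there is nothing to derive from; refusing
        # is safer than guessing (guessing is the over/under-grant problem).
        raise ValueError(f"no tracked execution for functions: {missing}")
    grants = frozenset().union(*(observed[f] for f in requested))
    return AccessControlPolicy(role, tuple(requested), grants)


def excess_grants(manual: set[Grant], policy: AccessControlPolicy) -> set[Grant]:
    """Grants in a hand-written policy that the tracked functions never used."""
    return manual - policy.grants


def missing_grants(manual: set[Grant], policy: AccessControlPolicy) -> set[Grant]:
    """Grants the tracked functions need that a hand-written policy omits."""
    return set(policy.grants) - manual


if __name__ == "__main__":
    policy = create_policy("network-operator", ["create-tenant-vn", "attach-workload"], TRACE)
    for grant in sorted(policy.grants, key=lambda g: (g.object_name, g.operation)):
        print(f"{policy.role}: {grant.operation} {grant.object_name}")
    manual = {Grant("project", "delete"), Grant("subnet", "create")}
    print("over-granted:", excess_grants(manual, policy))
    print("under-granted:", missing_grants(manual, policy))
```

The derived policy for the two requested functions contains six grants and nothing from `delete-tenant`, so `allows("project", "delete")` is false even though that operation appears in the trace; the hand-written set in `main` is both over-granted (`project delete`) and under-granted (five grants short).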
The details of one or more examples are set forth in the accompanying drawings and the description below. Other features, objects, and advantages will be apparent from the description and drawings, and from the claims.
Drawings
FIG. 1 is a block diagram illustrating an exemplary computer network system in accordance with the techniques described herein.
Fig. 2 is a block diagram illustrating an exemplary embodiment of the data center of fig. 1 in further detail.
Fig. 3 is a flowchart illustrating exemplary operations of an access control policy controller in accordance with the techniques of this disclosure.
Detailed Description
Fig. 1 is a block diagram illustrating an exemplary computer network system 8 in accordance with the techniques described herein. The computer network system 8 in the example of fig. 1 comprises data centers 10A-10X (collectively, "data centers 10") interconnected with each other and with a customer network associated with clients 11 via service provider network 7. FIG. 1 illustrates one exemplary embodiment of a computer network system 8 and a data center 10A hosting one or more cloud-based computing networks, computing domains, or projects (collectively referred to herein as a cloud computing cluster). Cloud-based computing clusters may coexist in a common overall computing environment, such as a single data center, or be distributed across environments, such as across different data centers. For example, the cloud-based computing clusters may be different cloud environments, such as an OpenStack cloud environment, a Kubernetes cloud environment, or various combinations of other computing clusters, domains, networks, and the like. In other cases, other implementations of the computer network system 8 and the data center 10A may be suitable. These embodiments may include a subset of the components included in the example of fig. 1 and/or may include other components not shown in fig. 1. Data centers 10B-10X may include the same or similar features and may be configured to perform the same or similar functions as described herein with respect to data center 10A.
In the example shown in fig. 1, data center 10A provides an operating environment for applications and services for clients 11 coupled to data center 10A through service provider network 7 via gateway 108. Although the functions and operations described in connection with computer network system 8 of fig. 1 may be shown as being distributed across multiple devices in fig. 1, in other examples, the features and techniques attributed to one or more of the devices in fig. 1 may be performed internally by local components of one or more of the devices. Similarly, one or more of these devices may include certain components and may perform various techniques that may be otherwise attributed to one or more other devices in the description herein. Furthermore, certain operations, techniques, features, and/or functions may be described in connection with fig. 1 or otherwise performed by particular components, devices, and/or modules. In other examples, the operations, techniques, features, and/or functions may be performed by other components, devices, or modules. Thus, some operations, techniques, features, and/or functions attributed to one or more components, devices, or modules may also be attributed to other components, devices, and/or modules, even though not specifically described herein in this manner.
The data center 10A hosts infrastructure equipment such as networking and storage systems, redundant power supplies, and environmental controls. The service provider network 7 may be coupled to one or more networks managed by other providers and may thus form part of a large-scale public network infrastructure (e.g., the internet). In some examples, data center 10A may represent one of many geographically distributed network data centers. As shown in the example of fig. 1, the data center 10A is a facility that provides network services for the clients 11. Clients 11 may be collective entities such as businesses and governments, or individuals. For example, a network data center may host network services for multiple enterprises and end users. Other exemplary services may include data storage, virtual private networks, traffic engineering, file services, data mining, scientific or super computing, and the like. In some examples, the data center 10A is a separate network server, network peer, or the like.
In the example of fig. 1, data center 10A includes a set of storage systems and application servers, including servers 12A through 12X (collectively, "servers 12"), interconnected by a high-speed switching fabric 20 provided by one or more layers of physical network switches and routers. The server 12 serves as a physical compute node for the data center. For example, each of the servers 12 may provide an operating environment for executing one or more application workloads 37 (denoted "WL" in fig. 1). As described herein, the terms "application workload 37" or "workload 37" are used interchangeably to refer to application workload 37. The workload 37 may be executed on a virtualized environment (such as a virtual machine, a container, or some type of virtualized instance), or in some cases, may be executed on a bare metal server that directly executes the workload rather than indirectly executing the workload in the virtualized environment. Each of the servers 12 may alternatively be referred to as a host computing device, or more simply as a host. Server 12 may execute one or more of workloads 37 on one or more virtualized instances, such as virtual machines, containers, or other virtual execution environments, for executing one or more services, such as Virtualized Network Functions (VNFs). Some or all of the servers 12 may be Bare Metal Servers (BMS). A BMS may be a physical server dedicated to a particular client or tenant.
The switching fabric 20 is provided by a set of interconnected top of rack (TOR) switches 16A-16N (collectively, "TOR switches 16") coupled to a distribution layer of chassis switches 18A-18M (collectively, "chassis switches 18"), and interconnects the servers 12A-12X of data center 10A. Although not shown, the data center 10A may also include, for example, one or more non-edge switches, routers, hubs, gateways, security devices (such as firewalls, intrusion detection and/or prevention devices), servers, computer terminals, laptops, printers, databases, wireless mobile devices (such as cellular telephones or personal digital assistants), wireless access points, bridges, cable modems, application accelerators, or other network devices.
In this example, TOR switches 16 and chassis switches 18 provide redundant (multi-homed) connections for servers 12 to gateway 108 and service provider network 7. The chassis switches 18 aggregate traffic flows and provide high-speed connections between TOR switches 16. TOR switches 16 may be network devices that provide layer 2 (MAC) and/or layer 3 (e.g., IP) routing and/or switching functions. The TOR switches 16 and the chassis switches 18 may each include one or more processors and memory and be capable of executing one or more software processes. The chassis switches 18 are coupled to a gateway 108 that can perform layer 3 routing to route network traffic between the data center 10A and the clients 11 through the service provider network 7.
Switching fabric 20 may perform layer 3 routing to route network traffic between data center 10A and clients 11 through service provider network 7. Gateway 108 is used to forward and receive data packets between switching fabric 20 and service provider network 7. The data center 10A includes an overlay network that extends the switching fabric 20 from the physical switches 18, 16 to a software or "virtual" switch. For example, virtual routers 30A-30X located in servers 12A-12X, respectively, may extend switching fabric 20 by communicatively coupling with one or more physical switches located within switching fabric 20. The virtual switch can dynamically create and manage one or more virtual networks that can be used for communication between application instances. In one example, the virtual router 30A-30X executes the virtual network as an overlay network that provides the ability to decouple the virtual address of an application from the physical address (e.g., IP address) of one of the servers 12A-12X on which the application is running. Each virtual network may use its own addressing and security scheme and may be considered orthogonal to the physical network and its addressing scheme. Different techniques may be used to transport data packets within and across virtual networks through physical networks.
In accordance with one or more examples of the present disclosure, software defined network ("SDN") controller 132 provides a logically and in some cases physically centralized controller for facilitating operation of one or more virtual networks within data center 10A. Throughout this disclosure, the terms SDN controller and virtual network controller ("VNC") are used interchangeably. In some instances, SDN controller 132 operates in response to configuration inputs received from orchestration engine 130 via an API (such as northbound API 131), which in turn operates in response to configuration inputs received from administrator 24 operating user interface device 129. Additional information regarding SDN controller 132 operating in conjunction with other devices or other software-defined networks of data center 10A may be found in international application PCT/US2013/044378 entitled "PHYSICAL PATH DETERMINATION FOR VIRTUAL NETWORK PACKET FLOWS" filed June 2013, and U.S. patent application serial No. 15/476,136 entitled "SESSION-BASED TRAFFIC STATISTICS LOGGING FOR VIRTUAL ROUTERS" filed in 2017, the entire contents of both of which are incorporated herein by reference as if fully set forth herein.
For example, an SDN platform may be used in the data center 10 to control and manage network behavior. In some cases, the SDN platform includes logically centralized and physically distributed SDN controllers (e.g., SDN controller 132) and a distributed forwarding plane in the form of virtual routers that extend the network from physical routers and switches in the data center switching fabric to a virtual overlay network hosted by the virtual servers.
In some instances, SDN controller 132 manages networks and networking services, such as load balancing, security, and allocates resources from server 12 to various applications via a southbound API. That is, the southbound API represents a set of communication protocols used by SDN controller 132 to make the actual state of the network equal to the desired state specified by orchestration engine 130. One of these communication protocols may include, for example, a messaging protocol, such as XMPP. For example, SDN controller 132 implements high-level requests from orchestration engine 130 by configuring physical switches (e.g., TOR switches 16, chassis switches 18, and switch fabric 20), physical routers, physical service nodes (e.g., firewalls and load balancers), and virtual services (e.g., virtual firewalls) in a virtualized environment. SDN controller 132 maintains routing, networking, and configuration information within a state database. SDN controller 132 communicates the appropriate subset of routing information and configuration information from the state database to Virtual Routers (VR) 30A-30X or AGENTs 35A-35X (the "AGENTs" in fig. 1) on each of servers 12A-12X.
As described herein, each of the servers 12 includes a respective forwarding component 39A-39X (hereinafter, "forwarding component 39") that performs data forwarding and traffic statistics collection functions for the workloads (WL 37 of fig. 1) executing on each server 12. In the example of fig. 1, each forwarding component is depicted as including a virtual router ("VR 30A-VR 30X" in fig. 1) that performs packet routing and stacking functions and a VR agent ("VA 35A-35X" in fig. 1) that communicates with SDN controller 132 and configures virtual router 30 in response. VR agent 35 operates as the policy agent for the respective server 12 and may alternatively be referred to as a policy agent. Alternatively, the policy agent may correspond to a subcomponent or function of VR agent 35.
In this example, each virtual router 30A-30X implements at least one routing instance for a corresponding virtual network within the data center 10 and routes data packets to the appropriate virtual machine, container, or other element running within the operating environment provided by the server. The data packets received by the virtual router of server 12A, for example, from the underlying physical network structure, may include an outer header to allow the physical network structure to tunnel the payload or "inner data packet" to the physical network address of the network interface of server 12A for running the virtual router. The outer header may include not only a physical network address of a network interface of the server, but also a virtual network identifier, such as a VxLAN label or a multiprotocol label switching (MPLS) label, that identifies one of the virtual networks and a corresponding routing instance performed by the virtual router. The internal data packet includes an internal header having a destination network address that coincides with a virtual network addressing space for the virtual network identified by the virtual network identifier.
In the example of fig. 1, SDN controller 132 learns routes and other information (e.g., configuration) and distributes it to all computing nodes in data center 10. VR proxy 35 of forwarding component 39, running inside the compute node, typically programs data forwarding elements (virtual router 30) with forwarding information when it receives routing information from SDN controller 132. SDN controller 132 sends routing and configuration information to VR proxy 35 using a messaging protocol (e.g., XMPP protocol semantics) rather than using a heavier-weight protocol (e.g., a routing protocol like BGP). In XMPP, SDN controller 132 and the agents communicate routing and configuration on the same channel. Upon receiving the route from VR proxy 35, SDN controller 132 acts as a messaging protocol client and in this case VR proxy 35 acts as a messaging protocol server. In contrast, when the SDN controller sends a route to VR proxy 35, SDN controller 132 acts as a messaging protocol server to VR proxy 35, VR proxy 35 acts as a messaging protocol client. SDN controller 132 may send security policies to VR proxy 35 for use by virtual router 30.
User interface device 129 may be embodied as any suitable computing system, such as a mobile or non-mobile computing device operated by a user and/or by administrator 24. In accordance with one or more aspects of the present invention, user interface device 129 may represent, for example, a workstation, a laptop or notebook computer, a desktop computer, a tablet computer, or any other computing device that is operable by a user and/or that may present a user interface.
In some instances, orchestration engine 130 manages the functions of data center 10A, such as computing, storage, networking, and application resources. For example, orchestration engine 130 may create a virtual network for the tenant within or across data center 10A. Orchestration engine 130 may append a Workload (WL) to the virtual network of the tenant. Orchestration engine 130 may connect the virtual network of the tenant to an external network, e.g., the internet or VPN. Orchestration engine 130 may implement security policies that span the boundaries of the workload group or tenant network. Orchestration engine 130 may deploy network services (e.g., load balancers) in the virtual network of the tenant.
In some instances, SDN controller 132 manages networks and networking services, such as load balancing, security, and allocates resources from server 12 to various applications via southbound API 133. That is, southbound API 133 represents a set of communication protocols used by SDN controller 132 to make the actual state of the network equal to the desired state specified by orchestration engine 130. For example, SDN controller 132 implements high-level requests from orchestration engine 130 by configuring physical switches (e.g., TOR switches 16, chassis switches 18, and switching fabric 20), physical routers, physical service nodes (e.g., firewalls and load balancers), and virtual services (e.g., virtual firewalls) in VMs. SDN controller 132 maintains routing, networking, and configuration information within a state database.
In general, traffic between any two network devices (e.g., between network devices (not shown) within switch fabric 20, between server 12 and client 11, or between servers 12) may traverse a physical network that uses many different paths. For example, there may be several equal-cost paths between two network devices. In some cases, packets belonging to network traffic from one network device to another may be distributed among the various possible paths at each network switching node using a routing policy known as multipath routing. For example, the Internet Engineering Task Force (IETF) RFC 2992, "Analysis of an Equal-Cost Multi-Path Algorithm," describes a routing technique for routing packets along multiple equal-cost paths. The RFC 2992 technique analyzes a particular multipath routing strategy that assigns flows to bins by hashing packet header fields, so that all packets of a particular traffic flow are sent over a single deterministic path.
The virtual routers (virtual router 30A-30X, collectively referred to as "virtual router 30" in fig. 1) execute a plurality of routing instances for the corresponding virtual network within the data center 10A and route data packets to the appropriate workload 37 executing within the operating environment provided by the server 12. Each of the servers 12 may include a virtual router. The data packets received by the virtual router 30A of the server 12A, for example, from the underlying physical network structure may include an outer header to allow the physical network structure to tunnel the payload or "internal data packet" to the physical network address for the network interface of the server 12A. The outer header may include not only a physical network address of a network interface of the server, but also a virtual network identifier, such as a VxLAN label or a multiprotocol label switching (MPLS) label, that identifies one of the virtual networks and a corresponding routing instance performed by the virtual router. The internal data packet includes an internal header having a destination network address that coincides with a virtual network addressing space for the virtual network identified by the virtual network identifier.
The data center 10A may have thousands of chassis switches 18 and TOR switches 16, and hundreds of servers 12. Further, the servers 12 in the data center 10A may include many different objects, such as virtual networks, domains, subnets, clusters, tenants, applications, resources, projects, services (e.g., internet protocol address management), and so forth. The example shown in fig. 1 represents a fully configured data center 10A. The other data centers 10B-10X may be similarly configured and may include similar numbers of chassis switches, TOR switches, servers, and objects. Other configuration objects configurable in the data center 10A devices may include: access control lists, alarms, IP names, IP pools, analysis nodes, API access lists, BGP-as-a-service, BGP routers, configuration nodes, configuration roots, customer attachments, database nodes, discovery services, Discovery Service Allocation (DSA) rules, floating IP pools, forwarding classes, quality of service parameters, global systems, global virtual routers, IP instances, interface routing tables, load balancers, logical interfaces, logical routers, namespaces, IPAMs, network policies, physical phases, physical routers, ports, projects, provider attachments, aggregated routes, routing tables, routing targets, routing instances, routing policies, security groups, service applications or collections thereof, service instances, Domain Name Service (DNS) servers and other DNS parameters, virtual IP addresses, virtual machines and their interfaces, and virtual routers.
Role-based access control (RBAC) is a technique for restricting and monitoring user access within network system 8 on the basis of roles. Network system 8 may be configured (e.g., via access control policy controller 23) with one or more roles, each of which may be assigned to one or more users. The roles assigned to a user may determine the services provided to the user, the applications that the user is allowed to access within network system 8, the administrative privileges that the user has within network system 8, or any combination thereof. Each role may be associated with an access control policy that specifies the rights of the associated role to perform certain operations within network system 8 and/or to access certain objects. For example, an access control policy for a role may specify one or more objects within network system 8 on which the role is permitted to perform one or more operations, and may also specify, for each of the one or more objects specified in the policy, the one or more operations that the role is permitted to perform on that object.
In some instances, the access control policy for a role may specify, for one or more objects in network system 8, one or more of the create, read, update, and delete (CRUD) operations that the role is permitted to perform on the object. In some instances, the access control policy may act as a whitelist: it specifies the objects and/or operations that a role can access and/or perform, and does not enumerate the objects and/or operations that the role cannot access. For example, if the access control policy does not specify a particular object within network system 8, the role associated with the access control policy may not be able to perform any operation on that object. In another example, if the access control policy specifies one or more operations that the role can perform on an object within network system 8, but does not specify a particular operation on that object, the role associated with the access control policy may be able to perform only the one or more specified operations on the object, and may not be able to perform the particular, unspecified operation on the object.
In some instances, administrator 24 may manually create and/or modify the access control policy for a role in order to specify the objects within network system 8 that the role is allowed to access and the operations that the role is allowed to perform on those specified objects. Administrator 24 may interact with a user interface (such as a graphical user interface) presented by user interface device 129, such as by providing user input at user interface device 129, to specify the permissions of a role to access objects and perform operations within network system 8. For example, administrator 24 may provide user input to select one or more objects in network system 8 on which a role is permitted to perform one or more operations, and may provide input to specify one or more operations, such as one or more of the CRUD operations, for each of the objects selected by administrator 24.
Manually creating access control policies for a generic high-level role, such as a cloud administrator or a tenant administrator, may be relatively easy and straightforward, because administrator 24 may simply specify that the role is allowed to perform all CRUD operations on all objects in network system 8 (in the case of a cloud administrator role) or on all objects of a specific tenant (in the case of a tenant administrator role). It may be difficult, however, for administrator 24 to manually create finer-grained access control policies at the level of individual objects in network system 8.
For example, some of the functions performed by network system 8 may include performing operations on tens, hundreds, or thousands of different objects within network system 8. Thus, administrator 24 may have to manually select access control policies for tens, hundreds, or thousands of objects within network system 8 in order to create access control policies for roles that perform these functions. Further, because a user of network system 8 may specify the functions to be performed by network system 8 as one or more user intents, which are high-level descriptions of the final functions of network system 8, the user of network system 8 may not be able to see all of the operations that network system 8 performs in order to carry out these one or more user intents. Thus, it may be impractical for a user of network system 8 to manually create an access control policy that allows a role to perform some function within network system 8 by manually setting permitted operations across tens, hundreds, or thousands of objects of network system 8.
According to aspects of the present disclosure, a component of network system 8 (such as access control policy controller 23) may create an access control policy that allows a role to access objects and perform operations on objects in network system 8. Access control policy controller 23 may be able to create such an access control policy for the role without administrator 24 having to specify the exact objects that the role is allowed to access and the exact operations that the role is allowed to perform on each of the objects. Instead, a user with elevated privileges (such as an administrator 24 of network system 8 or of a particular domain, cluster, tenant, etc. within network system 8) may send a request to access control policy controller 23 to create an access control policy that allows the role to perform one or more functions in network system 8.
In some examples, access control policy controller 23, which may be an analysis engine of network system 8, may determine one or more operations to be performed on one or more objects in network system 8 in order to perform the one or more functions, and may generate an access control policy for the role that allows the role to perform the one or more operations on the one or more objects. Thus, access control policy controller 23 may generate an access control policy for the role that specifies one or more operations that the role is permitted to perform on one or more objects in network system 8.
In the example of fig. 1, administrator 24 may request that data center 10A create an access control policy for a role that allows the role to perform one or more functions in network system 8, by providing an indication of the one or more functions that the role is allowed to perform. For example, administrator 24 may provide user input at user interface device 129 to specify the one or more functions that the role is allowed to perform.
In some examples, administrator 24 may designate one or more functions as one or more user intents via user interface device 129. The user intent may be a high-level description or abstraction of the configuration state of data center 10A or the final function of data center 10A that does not specify low-level details of how the configuration state of data center 10A is implemented and/or how particular final functions are implemented in network system 8 (e.g., particular objects in network system 8 on which operations are performed and particular CRUD operation(s) to be performed on the objects). For example, administrator 24 may specify user intent describing the creation of policies between two or more networks (e.g., between two or more data centers 10, between service provider network 7 and another network within network system 8, between two other networks, etc.). To enforce a user intent to create policies between two or more networks, network system 8 (e.g., data center 10A and/or SDN controller 132) may create two or more networks, create one or more policies for the two or more networks, and append the policies to the two or more networks. For example, data center 10A and/or SDN controller 132 may create and/or perform operations on a plurality of different objects within network system 8, such as one or more CRUD operations on each of route instances, access control lists, access control entries, virtual route and forwarding instances, and so forth, to perform user intent specified by administrator 24.
In another example, if the user intent describes creating a tunnel between two points of presence within the data center 10A, the data center 10A may perform the user intent by determining implementation details of the final function (e.g., determining whether a single tunnel or multiple tunnels are used between two points of presence, determining which particular hardware tables or software features are used, etc.), and implementing the final function (e.g., the tunnel described by the user intent) according to the determined implementation details of the data center 10A. Other instances of user intent that administrator 24 may specify may include higher-level use cases (use cases) that may cause more object type manipulations (e.g., user intent to perform a service chain), which data center 10A, SDN controller 132, etc. may perform by performing operations on objects such as service templates, service instances, networks, network policies, access control lists, access control entries, routing instances, etc.
In some instances, administrator 24 may specify one or more user intents by specifying one or more workflows via user interface device 129, where the workflows may be created using one or more intents and/or one or more objects. The workflow and intent may be associated with a workflow identifier or user intent identifier, respectively, such that the workflow and/or user intent specified by administrator 24 may be sent to an API server, such as SDN controller 132, such that SDN controller 132 may be able to associate the workflow identifier or user intent identifier with the object being created and/or manipulated to execute the workflow or user intent.
In some instances, administrator 24 may also specify roles associated with access control policies. By specifying a role associated with an access control policy, an access control policy generated based at least in part on one or more functions specified by administrator 24 may define operations in data center 10A that a user assigned to the role is permitted to perform.
In some instances, administrator 24 may also specify a time period associated with the one or more functions specified by administrator 24, to indicate to data center 10A the time period during which the one or more functions are to be performed by data center 10A. In some examples, administrator 24 may specify the time period by specifying a start time and an end time, to indicate that the one or more functions are to be performed by data center 10A between the specified start time and end time.
In some instances, administrator 24 may also specify a scope for the access control policy to be created. The scope may indicate the portion of network system 8 to which the access control policy applies. In some instances, administrator 24 may specify that the access control policy applies to a global scope, i.e., the entire data center 10A. In some instances, administrator 24 may also specify a tenant associated with the access control policy. Where data center 10A includes a multi-tenant system, administrator 24 may designate a tenant from the multi-tenant system for which data center 10A may create an access control policy that controls, based on the one or more functions specified by administrator 24, the one or more operations that the role is permitted to perform on one or more objects in the tenant. In some other examples, data center 10A may specify a project-level scope in order to apply the access control policy to particular projects within data center 10A.
In some instances, user interface device 129 may provide a user interface, such as a graphical user interface, that includes various user interface controls, such as input fields, drop-down fields, etc., that a user, such as administrator 24, may interact with via user input to provide the above-described information in order to send a request to access control policy controller 23 to create an access control policy that allows the role to perform one or more functions in network system 8. For example, administrator 24 may provide input via user interface device 129 to specify a role, tenant, one or more functions to be performed by data center 10A, start time, end time, and any other suitable information.
In some instances, when administrator 24 provides user input supplying the above information, user interface device 129 may present a confirmation user interface that allows administrator 24 to confirm that the entered information is correct and to modify the request to create the access control policy before it is sent to access control policy controller 23. In response to receiving the confirmation from administrator 24, user interface device 129 may send the request to create the access control policy to access control policy controller 23.
In response to receiving an indication of one or more functions to be performed by data center 10A, access control policy controller 23 may forward the one or more functions to SDN controller 132. SDN controller 132 may determine one or more operations to perform on one or more objects in data center 10A to perform the one or more functions, based at least in part on tracking the performance of the one or more functions in data center 10A. In some instances, SDN controller 132 may instruct a component of data center 10A (such as server 12) to perform a function specified by administrator 24 in order to determine the one or more operations to perform on one or more objects in data center 10A to perform the one or more functions.
In some examples, SDN controller 132 and/or orchestration engine 130 may receive one or more functions specified by administrator 24, e.g., from access control policy controller 23, and in response SDN controller 132 may determine one or more API calls for performing the one or more functions. For example, the API calls may include one or more representational state transfer (REST) API calls or any other suitable API call that may be performed by an API server of SDN controller 132 and/or other components of data center 10A.
To perform API calls, SDN controller 132 may be used to control components of data center 10A, such as gateway 108, chassis switch 18, TOR switch 16, servers 12, workload 37, virtual router 30, agent 35, forwarding component 39, virtual machines, containers, hypervisors, policies, applications, services, etc., to perform the functions of the API call. For example, in response to receiving a user intent for data center 10A to communicate with a network device of a remote data center (e.g., data center 10B), SDN controller 132 may formulate and execute one or more API calls that cause gateway 108 to implement one or more communication protocols (e.g., multiprotocol border gateway protocol (MP-BGP) or internet protocol VPN (IP VPN)) for communication of routing and reachability information of a tenant network of data center 10A with the network device of the remote data center. In another example, SDN controller 132 may execute an API call that causes server 12A to tunnel traffic to gateway device 108B to communicate with a tenant network of a remote data center (e.g., data center 10B).
Access control policy controller 23 may determine one or more operations to perform on one or more objects in network system 8 to perform the one or more functions, based at least in part on tracking the performance of the one or more functions in network system 8. In some instances, SDN controller 132 may generate a record or log associated with the one or more functions specified by administrator 24, which access control policy controller 23 may use to determine the one or more operations to perform on one or more objects in network system 8. For example, for each function specified by administrator 24, SDN controller 132 may record or log the function specified by administrator 24, each object on which at least one operation is performed to perform the function, and each operation performed on that object to perform the function.
In some instances, SDN controller 132 may determine, for each of the one or more functions specified by administrator 24, each object on which at least one operation is performed to perform the function and each operation performed on that object to perform the function. For example, SDN controller 132 may formulate one or more instructions (e.g., API calls) to send to gateway 108, chassis switch 18, TOR switch 16, servers 12, workload 37, virtual router 30, agent 35, forwarding component 39, virtual machines, containers, hypervisors, policies, applications, services, etc., based on the functions specified by administrator 24. SDN controller 132 may determine the one or more operations to perform on one or more objects in data center 10A based on each of the one or more instructions it formulates and sends, and SDN controller 132 may record or log the one or more operations performed on the one or more objects in data center 10A. For example, if SDN controller 132 formulates and sends an instruction to a virtual router to update a routing table, SDN controller 132 may determine that the instruction instructs the virtual router to update (i.e., write) the flow table. Thus, in the record or log related to the one or more functions specified by administrator 24, SDN controller 132 may include an indication of a flow table object and an associated update operation.
In some examples, various components of data center 10A (e.g., gateway 108, chassis switch 18, TOR switch 16, servers 12, workload 37, virtual router 30, agents 35, forwarding components 39, virtual machines, applications, services, etc.) may send to SDN controller 132 indications of one or more operations performed by these components on one or more objects of data center 10A. For example, SDN controller 132 may formulate one or more instructions to send to one or more components of data center 10A based on the functions specified by administrator 24. The one or more components of data center 10A may receive the one or more instructions from SDN controller 132 and may perform one or more operations on one or more objects based on the one or more instructions. Each component executing at least one of the one or more instructions on at least one of the one or more objects may send an indication of the one or more operations it performs on the one or more objects to SDN controller 132. SDN controller 132 may receive the indications of the one or more operations performed by the one or more components of data center 10A on the one or more objects and may record or log the one or more operations performed on the one or more objects in data center 10A.
In some examples, one or more components of server 12 may track operations performed by server 12 on objects to perform one or more instructions received from SDN controller 132 and may send an indication of operations performed by server 12 on objects to SDN controller 132. For example, one or more of agents 35, virtual router 30, workload 37, etc. may track operations performed on objects in server 12 (such as one or more of agents 35, virtual router 30, workload 37), as well as objects within workload 37 or objects running within the workload (such as applications, services, files, etc.), and may stream events 52 indicating the operations performed on the objects in server 12 to SDN controller 132. For example, in response to server 12 performing an operation on an object, server 12 may create an event indicating the object and the CRUD operation performed on the object (i.e., create, read, update, or delete operation), and may send the event to SDN controller 132. The collector 38 of the SDN controller 132 may receive a stream of events from the server 12, wherein each event indicates an object and an operation performed on the object, and may log the received event in one or more logs, thereby tracking execution of one or more functions in the data center 10A. In addition, SDN controller 132 may generate a timestamp for each of the events it receives and may store the timestamp's association with the event in one or more logs.
In some examples, because the server 12 may stream many different kinds of events to the SDN controller 132, the SDN controller 132 may limit events sent from the server 12 to events related to determining access control policies (e.g., events indicating operations performed on objects). For example, each object in data center 10A may include or be associated with an indication of whether data center 10A is currently in the process of creating an access control policy. Responsive to determining that data center 10A is currently in the process of creating an access policy based at least in part on an indication of whether data center 10A is currently in the process of creating an access policy, server 12 may stream only events relevant to determining an access control policy.
In some examples, the indication may be in the form of a bit with which each object is associated. SDN controller 132 may be operable to set the bit associated with an object in data center 10A to indicate that data center 10A is currently in the process of creating an access control policy. In response to determining that data center 10A is currently in the process of creating an access control policy, based at least in part on the setting of the bit associated with the object in data center 10A, server 12 may stream only events relevant to determining the access control policy.
Access control policy controller 23 may generate an access control policy that allows the role to perform the one or more functions in network system 8 specified by administrator 24, based at least in part on the one or more operations performed on the one or more objects in network system 8. In instances where SDN controller 132 tracks execution of the one or more functions specified by administrator 24 by generating records or logs associated with those functions, access control policy controller 23 may determine the access control policy based at least in part on the one or more operations associated with the one or more objects recorded in the records or logs generated by SDN controller 132.
In some instances, access control policy controller 23 may determine the relevant one or more logs or records associated with the one or more functions specified by administrator 24 based at least in part on the time stamps associated with each of the events recorded in the one or more logs. When administrator 24 specifies one or more functions for which access control policies are to be created, administrator 24 may specify a start time and an end time associated with the one or more functions. The data center 10A may perform one or more functions within a time period between a start time and an end time associated with the one or more functions and may timestamp or otherwise associate a timestamp with each of the events generated during the performance of the one or more functions.
An exemplary set of time-stamped events in one or more logs may be as follows:
time="2019-02-21T14:36:21-08:00" level=info msg="Object access application-policy-set 1"
time="2019-02-21T14:36:21-08:00" level=info msg="Object access project 3"
time="2019-02-21T14:36:21-08:00" level=info msg="Object access virtual-network 1"
time="2019-02-21T14:36:21-08:00" level=info msg="Object access routing-instance 1"
time="2019-02-21T14:36:21-08:00" level=info msg="Object access virtual-network 3"
time="2019-02-21T14:36:21-08:00" level=info msg="Object access virtual-network 2"
time="2019-02-21T14:36:21-08:00" level=info msg="Object access virtual-network 3"
time="2019-02-21T14:36:21-08:00" level=info msg="Object access virtual-network 2"
time="2019-02-21T14:36:21-08:00" level=info msg="Object access virtual-network 4"
time="2019-02-21T14:36:21-08:00" level=info msg="Object access routing-instance 4"
As can be seen in the example, each of the events may be time stamped or otherwise associated with a time stamp (e.g., "2019-02-21T14:36:21-08:00"). The time stamp associated with an event may include a date (e.g., year, month, and day) and/or a time. Further, each of the events may include an indication of an object (e.g., "virtual-network") on which one or more operations are performed. In some instances, the log may also specify the particular operations performed on the object, such as one or more of the CRUD operations performed on the particular object. In the above example, the number at the end of each row may represent one of the four CRUD operations performed on the object. For example, "Object access virtual-network 1" may indicate a create operation performed on the object "virtual-network", and "Object access virtual-network 3" may indicate an update operation performed on the object "virtual-network". In this way, one or more logs may store, for each event, an indication of an object, an indication of an operation performed on the object, and an indication of a timestamp associated with the performance of the operation on the object.
The access control policy controller 23 may determine, based at least in part on one or more logs or records associated with one or more functions specified by the administrator 24, that the access control policy allows the associated role to perform one or more operations on one or more objects. The access control policy controller 23 may include in the access control policy an indication of each of the one or more objects specified in the one or more logs or records associated with the one or more functions specified by the administrator 24. The access control policy controller 23 may determine, for each of one or more objects specified in one or more logs or records associated with one or more functions specified by the administrator 24, one or more operations to be performed on the object, and may include, in the access control policy for each of the one or more objects, an indication of the one or more operations that may be performed on the object. Thus, for example, if one or more logs or records indicate that create and delete operations have been performed on a particular object, the access control policy controller 23 may include in the access control policy an indication of the particular object that is associated with an indication that create and delete operations may be performed on the object.
In some examples, access control policy controller 23 may create the access control policy file as a JavaScript Object Notation (JSON) document. For example, access control policy controller 23 may create the access control policy file by using the following exemplary command: python rbac.py apisrv.log template.json development. In this example, access control policy controller 23 creates an access control policy file "template.json" for the "developer" role based on the log file "apisrv.log", which specifies one or more operations performed on one or more objects. The partial output of an exemplary access control policy file is as follows:
[Exemplary access control policy file output: reproduced as a figure in the original and not available in the text.]
As can be seen from the above example, the access control policy file may specify one or more objects to which the access control policy of network system 8 applies. For each specified object, the access control policy file may specify one or more of the CRUD operations that the access control policy allows the role to perform on that object. Further, for each specified object and the one or more CRUD operations that may be performed on that object, the access control policy file may specify that the role is permitted to perform the specified one or more CRUD operations on the specified object. For example, for a "domain" object in network system 8, the access control policy allows the role "developer" to perform create, read, and delete ("CRD") operations on the "domain" object. For a "track cluster" object in network system 8, the access control policy allows the role "developer" to perform create, read, and delete ("CRD") operations on the "track cluster" object. For a "service instance" object in network system 8, the access control policy allows the role "developer" to perform create and delete ("CD") operations on the "service instance" object.
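The following added example, written for this page and not part of the patent or of any Juniper/Contrail code, walks through the pipeline described above: it parses event lines in the format of the exemplary log, keeps only the events inside the administrator's start/end window, folds the observed operations into a per-object CRUD string for one role, and applies the resulting policy as a whitelist (unlisted objects and operations are denied). The trailing-digit code table (1 = create, 3 = update are from the text; 2 = read, 4 = delete are assumed to complete the set), the sample log, and the JSON layout modelled on Contrail's api-access-list `rbac_rule` schema are assumptions, since the page does not reproduce its own output file.

```python
"""Derive an RBAC policy from API-server object-access events (illustrative)."""
import json
import re
from datetime import datetime

# Constructed sample log in the line format of the patent's exemplary events.
# The last line falls outside the administrator's window and must be ignored.
SAMPLE_LOG = """\
time="2019-02-21T14:36:21-08:00" level=info msg="Object access application-policy-set 1"
time="2019-02-21T14:36:21-08:00" level=info msg="Object access project 3"
time="2019-02-21T14:36:21-08:00" level=info msg="Object access virtual-network 1"
time="2019-02-21T14:36:21-08:00" level=info msg="Object access routing-instance 1"
time="2019-02-21T14:36:21-08:00" level=info msg="Object access virtual-network 3"
time="2019-02-21T14:36:21-08:00" level=info msg="Object access virtual-network 2"
time="2019-02-21T14:36:21-08:00" level=info msg="Object access virtual-network 4"
time="2019-02-21T14:36:21-08:00" level=info msg="Object access routing-instance 4"
time="2019-02-21T15:10:00-08:00" level=info msg="Object access service-instance 4"
"""

# Assumed code table: the text states 1 = create and 3 = update; 2 = read and
# 4 = delete are filled in here to complete the CRUD set.
OP_CODES = {"1": "C", "2": "R", "3": "U", "4": "D"}
CRUD_ORDER = "CRUD"

EVENT_RE = re.compile(
    r'time="(?P<ts>[^"]+)"\s+level=(?P<level>\w+)\s+'
    r'msg="Object access (?P<obj>\S+) (?P<code>[1-4])"'
)


def parse_events(log_text):
    """Return (timestamp, object_type, op) tuples; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # not an object-access event, so irrelevant to the policy
        ts = datetime.fromisoformat(m.group("ts"))  # keeps the -08:00 offset
        events.append((ts, m.group("obj"), OP_CODES[m.group("code")]))
    return events


def in_window(events, start, end):
    """Keep only events stamped within the administrator's start/end window."""
    return [e for e in events if start <= e[0] <= end]


def build_policy(events, role):
    """Fold observed (object, op) pairs into one rbac_rule per object for `role`.

    Output layout is modelled on Contrail's api-access-list schema (assumed).
    """
    ops_by_obj = {}
    for _ts, obj, op in events:
        ops_by_obj.setdefault(obj, set()).add(op)
    rules = []
    for obj in sorted(ops_by_obj):
        crud = "".join(c for c in CRUD_ORDER if c in ops_by_obj[obj])
        rules.append({
            "rule_object": obj,
            "rule_field": None,  # whole object rather than a single attribute
            "rule_perms": [{"role_name": role, "role_crud": crud}],
        })
    return {"api-access-list": {
        "name": f"{role}-auto-policy",
        "api_access_list_entries": {"rbac_rule": rules},
    }}


def policy_from_log(log_text, role, start_iso, end_iso):
    """Parse, window, and build in one call (ISO-8601 window bounds)."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    return build_policy(in_window(parse_events(log_text), start, end), role)


def crud_for(policy, role, obj):
    """Return the CRUD string granted to `role` on `obj`, or "" if none."""
    rules = policy["api-access-list"]["api_access_list_entries"]["rbac_rule"]
    for rule in rules:
        if rule["rule_object"] != obj:
            continue
        for perm in rule["rule_perms"]:
            if perm["role_name"] == role:
                return perm["role_crud"]
    return ""


def is_permitted(policy, role, obj, op):
    """Whitelist semantics: anything not explicitly listed is denied."""
    return op in crud_for(policy, role, obj)


if __name__ == "__main__":
    policy = policy_from_log(SAMPLE_LOG, "developer",
                             "2019-02-21T14:00:00-08:00",
                             "2019-02-21T15:00:00-08:00")
    print(json.dumps(policy, indent=2))
    print(is_permitted(policy, "developer", "virtual-network", "U"))  # True
    print(is_permitted(policy, "developer", "routing-instance", "R"))  # False
```

Because the policy is built only from what was observed, an operation that the tracked run never exercised (here, read on routing-instance) stays denied; reviewing the generated file before applying it, as the text describes, is what catches an under- or over-broad window.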
In some examples, access control policy controller 23 may output the access control policies specified by the access control policy file via user interface device 129 for viewing by a user, such as administrator 24, so that the user may confirm that the access control policies are correct and/or so that the user may alter the access control policy file by providing user input via user interface device 129. The access control policy controller 23 may generate an access control policy for the role based on the access control policy file upon receiving an acknowledgement of the access control policy from the user via the user interface device 129.
In some examples, access control policy controller 23 may create an access control policy for a role from the generated access control policy file, for example, by executing the following exemplary command: curl -vX POST http://10.0.1:8082/api-access-list -d @api_access_list.json --header "Content-Type: application/json". Once the access control policy controller 23 creates an access control policy for a role, the access control policy controller 23 may store the access control policy so that it may be applied to any user assigned the role associated with the access control policy, to restrict the access of that user within the network system 8. For example, administrator 24 may interact with user interface device 129 to assign a role to a user, and in response, access control policy controller 23 may apply the access control policy associated with the role to the user, so that the user is restricted within network system 8 to performing the one or more operations on the one or more objects specified by the access control policy associated with the role.
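The step of applying a stored policy to a user assigned a role, as an added example written for this page (it is not the patent's or Juniper's own code): a generated policy document is indexed into a role-to-object-to-CRUD table, and each requested operation is evaluated with default deny. The JSON layout, the user-to-role table, and all names below are assumptions; the patent does not show them.

```python
"""Added example (not the patent's code): apply a generated role policy to a
user and evaluate requested operations. Layout and names are assumptions."""
import json

# Constructed policy document in the layout assumed here: one role, and for
# each object the CRUD letters the role may perform on it.
POLICY_FILE = json.dumps({
    "role": "developer",
    "rules": [
        {"object": "domain", "crud": "CRD"},
        {"object": "service_instance", "crud": "CD"},
    ],
})

# Constructed role assignment; only an administrator changes this table.
USER_ROLES = {"alice": ["developer"], "bob": []}

OP_LETTER = {"create": "C", "read": "R", "update": "U", "delete": "D"}


def index_policy(policy_json):
    """Return {role: {object: set(letters)}} from a policy document, rejecting
    any letter outside CRUD so a malformed file cannot widen access."""
    doc = json.loads(policy_json)
    rules = {}
    for rule in doc["rules"]:
        letters = set(rule["crud"].upper())
        if not letters <= set("CRUD"):
            raise ValueError(f"bad CRUD spec {rule['crud']!r} for {rule['object']}")
        rules[rule["object"]] = letters
    return {doc["role"]: rules}


POLICIES = index_policy(POLICY_FILE)


def is_allowed(user, operation, obj, policies=POLICIES, user_roles=USER_ROLES):
    """True only if a role assigned to the user grants this CRUD letter on obj.
    Unknown user, unknown verb, unlisted object or missing letter all deny."""
    letter = OP_LETTER.get(operation.lower())
    if letter is None:
        return False
    return any(letter in policies.get(role, {}).get(obj, set())
               for role in user_roles.get(user, []))


def authorize(user, operation, obj):
    """Raise on deny so a caller cannot accidentally ignore the decision."""
    if not is_allowed(user, operation, obj):
        raise PermissionError(f"{user!r} may not {operation} {obj!r}")


def denied_requests(user, requests):
    """Return the (operation, object) pairs in requests the user may not perform;
    useful for previewing what a role would block before assigning it."""
    return [(op, obj) for op, obj in requests if not is_allowed(user, op, obj)]


if __name__ == "__main__":
    wanted = [("create", "domain"), ("update", "domain"),
              ("read", "service_instance"), ("delete", "service_instance")]
    print("alice denied:", denied_requests("alice", wanted))
    print("bob denied:", denied_requests("bob", wanted))
```

Every miss (no role, no rule for the object, missing letter, or a verb outside CRUD) falls through to deny, so the only way to widen access is to add a letter to the policy document for that role, which is the artifact the administrator reviews.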
Fig. 2 is a block diagram illustrating an exemplary embodiment of the data center 10A of fig. 1 in further detail. In the example of fig. 2, the data center 10A includes interconnections that extend the switching fabric 14 from the physical switches 16, 18 to software or "virtual" routers 30A-30X (again, collectively, "virtual routers 30"). Virtual router 30 dynamically creates and manages one or more virtual networks 34 that are available for communication between application instances. In one example, virtual router 30 executes the virtual network as an overlay network, which provides the ability to decouple the virtual address of an application from the physical address (e.g., IP address) of one of servers 12A-12X ("server 12") on which the application is running. Each virtual network may use its own addressing and security scheme and may be considered orthogonal to the physical network and its addressing scheme.
Each virtual router 30 may run within a hypervisor, host operating system, or other component of each of the servers 12. Each of the servers 12 may represent an x86 or other general purpose or special purpose server capable of executing a workload 37. In the example of fig. 2, virtual router 30A runs in a hypervisor 31 (also commonly referred to as a Virtual Machine Manager (VMM)) that provides a virtualized platform that allows multiple operating systems to run simultaneously on one of servers 12. In the example of fig. 2, virtual router 30A manages virtual networks 34, each of which provides a network environment for executing one or more Workloads (WLs) 37 on a virtualized platform provided by hypervisor 31. Each of the workloads 37 is associated with one of the virtual networks VN0-VN1 and may represent a tenant workload running a client application (e.g. Web server, database server, enterprise application) or hosting a virtualization service for creating a service chain. In some cases, any one or more of servers 12 or another computing device may directly host the client application, i.e., not as a virtual machine. In some cases, some of the workloads 37 may represent containers, i.e., another form of virtualized execution environment. That is, both the virtual machine and the container are instances of a virtualized execution environment for executing a workload.
In general, each of the workloads 37 may be any type of software application and may run on a virtualized environment (e.g., a virtual machine or container) that is assigned a virtual address for use within a corresponding virtual network 34, where each of the virtual networks may be a different virtual subnet provided by the virtual router 30A. For example, the virtualized environment may be assigned its own virtual layer three (L3) IP address for sending and receiving communications, for example, but may not know the IP address of the physical server 12A on which the virtualized environment is executing. In this way, a "virtual address" is an address that is different from the logical address for the underlying physical computer system (e.g., server 12A in the example of FIG. 1 or FIG. 2).
In one embodiment, each of servers 12 includes a corresponding one of Virtual Network (VN) agents 35A-35X (collectively, "VN agents 35") that control the overlay of virtual networks 34 and coordinate the routing of data packets within servers 12. Typically, each VN agent 35 communicates with SDN controller 132, which generates commands to control the routing of data packets through data center 10A. VN agents 35 may act as proxies for control plane messages between workloads 37 and SDN controller 132. For example, a workload 37 may request to send a message using its virtual address via VN agent 35A, and VN agent 35A may in turn send the message and request that a response to the message be received for the virtual address of the workload 37 that originated the first message. In some cases, workload 37 may invoke a program or function call presented by an application programming interface of VN agent 35A, and VN agent 35A may also handle encapsulation of the message, including addressing.
In one example, network packets (e.g., layer three (L3) IP packets or layer two (L2) Ethernet packets) generated or consumed by an instance of an application executing within a workload 37 in a virtual network domain may be encapsulated in another packet (e.g., another IP or Ethernet packet) that is transmitted over the physical network. The packets transmitted in the virtual network may be referred to herein as "inner packets" and the physical network packets may be referred to herein as "outer packets" or "tunnel packets." Encapsulation and/or decapsulation of the virtual network packets within the physical network packets may be performed within virtual router 30, such as within a hypervisor or host operating system running on each of servers 12. As another example, the encapsulation and decapsulation functions may be performed at the first-hop TOR switch 16, at the edge of switch fabric 14, which is one hop removed from the application instance that originated the packet. This function is referred to herein as tunneling and may be used within data center 10A to create one or more overlay networks. In addition to IP-in-IP, other exemplary tunneling protocols that may be used include IP over GRE, VXLAN, MPLS over GRE, MPLS over UDP, and the like.
As described above, SDN controller 132 provides a logically centralized controller for facilitating operation of one or more virtual networks within data center 10A. SDN controller 132 may, for example, maintain a routing information base, e.g., one or more routing tables storing routing information for the physical network and one or more overlay networks of data center 10A. Similarly, switches 16, 18 and virtual router 30 maintain routing information, such as one or more routing and/or forwarding tables. In one exemplary embodiment, virtual router 30A of hypervisor 31 implements Network Forwarding Tables (NFTs) 32 for each of virtual networks 34. In general, each NFT 32 stores forwarding information for the corresponding virtual network 34 and identifies where to forward the data packet and whether to encapsulate the data packet in a tunneling protocol, such as a tunneling header having one or more headers that may include different layers for the virtual network protocol stack.
According to aspects of the present disclosure, the access control policy controller 23 is configured to receive a request to create an access control policy that allows a role to perform one or more functions in the data center 10A, and in response, to generate an access control policy that allows the role to perform the one or more functions in the data center 10A. In some examples, SDN controller 132 includes access control policy controller 23, which may generate access control policies that allow roles to perform one or more functions in data center 10A. In general, processing circuitry of a network device, such as one or more servers 12, may run the access control policy controller 23 to perform the techniques of the access control policy controller 23 described throughout this disclosure, and the access control policy controller 23 may store the access control policies that it generates to a memory that is operatively coupled to the processing circuitry on which the access control policy controller 23 runs. In some instances, SDN controller 132 and access control policy controller 23 may run on the same computing device (e.g., one of servers 12). In some instances, SDN controller 132 and access control policy controller 23 may run on different computing devices (e.g., different servers of servers 12, or servers in different data centers 10 of network system 8).
SDN controller 132 may receive a request to perform one or more functions and, in response, may formulate one or more instructions for server 12 to perform the one or more functions. SDN controller 132 may send formulated one or more instructions to server 12 and server 12 may execute the one or more instructions. For example, SDN controller 132 may formulate and execute one or more API calls that cause a data center to perform one or more functions.
SDN controller 132 is further configured to determine one or more operations to perform on one or more objects in data center 10A to perform one or more functions based at least in part on tracking the performance of the one or more functions in data center 10A. As described above, SDN controller 132 may formulate one or more instructions for server 12 to perform one or more functions and may send the formulated one or more instructions to server 12 and server 12 may execute the one or more instructions. When the server 12 executes one or more instructions to perform one or more functions specified in the request to create an access control policy for a role, the access control policy controller 23 is operable to track operations performed by the server 12 on objects in the server 12.
In some examples, one or more components of server 12 may track operations performed by server 12 on objects while executing one or more instructions received from SDN controller 132, and may send an indication of the operations performed by server 12 on those objects to SDN controller 132. For example, one or more of VN agent 35, virtual router 30, hypervisor 31, NFT 32, virtual network 34, workload 37, etc. may track operations performed on objects in server 12 (such as virtual router 30, hypervisor 31, NFT 32, virtual network 34, workload 37) and on objects within workload 37 (such as applications, services, files, etc.), and may stream events 52 indicating the operations performed on objects in server 12 to collector 38 of SDN controller 132. For example, in response to server 12 performing an operation on an object, server 12 may create an event indicating the object and the CRUD operation performed on the object (i.e., a create, read, update, or delete operation), and may send the event to SDN controller 132. The collector 38 of the SDN controller 132 may receive the stream of events 52 from the server 12, wherein each event indicates an object and an operation performed on the object, and may record the received events 52 in one or more logs.
In some instances, SDN controller 132 may maintain one or more logs of events 52 streamed from server 12 during execution of one or more functions specified by a request to create an access control policy for a role. For example, for each of the events 52 received by the collector 38 from the server 12, where each event specifies an object and an operation performed on the object (e.g., one of the CRUD operations), the SDN controller 132 may create a log entry for the event specifying the operation specified by the event, the object specified by the event, and a timestamp associated with the event. In some instances, if an event indicates an operation performed on an object during execution of a user intent specified by a request to create an access control policy, SDN controller 132 may also include an indication of the user intent in the log, such as a user intent identifier associated with the operation and the object.
The access control policy controller 23 is configured to create an access control policy for the roles that allows the roles to perform one or more operations on one or more objects in the data center 10A. The access control policy controller 23 may create an access control policy based on logs maintained by the SDN controller 132. In particular, the access control policy controller 23 may create an access control policy for a role that allows the role to perform one or more operations on one or more objects indicated by one or more logs as described above. For example, the access control policy controller 23 may create an access policy that indicates each object that has been accessed and, for each object, indicates one or more operations to be performed on that object.
In some instances, the access control policy controller 23 is operable to determine which logs, and which events recorded in those logs, are associated with a request to create an access control policy, based at least in part on the timestamps associated with the events recorded in the one or more logs. As described above, when SDN controller 132 receives events from server 12 in the course of executing one or more functions specified by a request to create an access control policy, SDN controller 132 may associate a timestamp with each event and may store the association of the timestamp with the event in one or more logs.
The request to create the access control policy may specify a time period, for example, by specifying a start time and an end time. The access control policy controller 23 may then determine which of the one or more logs, and which events in those logs, are associated with the request by comparing the timestamps associated with the logs and/or events against the specified time period: logs and events whose timestamps fall within the time period are associated with the request, and those whose timestamps fall outside it are not. Thus, the access control policy controller 23 may generate the requested access control policy based at least in part on only the logs and/or events associated with the request, so that operations recorded from unrelated activity in network system 8 outside the time period are not carried into the policy.
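The log-to-policy derivation described above, as an added example written for this page (it is not the patent's rbac.py, and the log line format, the JSON layout, and all names are assumptions): events are parsed from a constructed apisrv-style log, only those whose timestamp falls within the requested time period are kept, the CRUD letters observed per object are collected, and a policy document for the role is emitted. The constructed log reproduces the developer-role grants discussed above (CRD on domain, CD on service instance) and includes one out-of-window event and one malformed line to show that both are excluded.

```python
"""Added example (not the patent's rbac.py): derive a role's access control
policy from a constructed event log, keeping only events inside the time period
named in the request. Log format, JSON layout and names are assumptions."""
import json
from datetime import datetime, timezone

# Constructed sample log, one event per line:
#   <ISO-8601 UTC timestamp> <user-intent id> <operation> <object>
# The real apisrv.log layout is not shown in the patent; this one is assumed.
SAMPLE_LOG = """\
2020-03-31T10:00:01Z intent-7 create domain
2020-03-31T10:00:02Z intent-7 read   domain
2020-03-31T10:00:03Z intent-7 create service_instance
2020-03-31T10:00:04Z intent-7 delete service_instance
2020-03-31T10:00:05Z intent-7 delete domain
this line is malformed and is skipped
2020-03-31T11:30:00Z intent-9 update global_system_config
"""

CRUD_LETTER = {"create": "C", "read": "R", "update": "U", "delete": "D"}


def parse_ts(text):
    """Parse the log's timestamp form into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Yield (timestamp, intent, operation, object) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue            # not an event record
        try:
            ts = parse_ts(parts[0])
        except ValueError:
            continue            # first field is not a timestamp
        yield ts, parts[1], parts[2].lower(), parts[3]


def observed_operations(log_text, start, end):
    """Collect {object: set(CRUD letters)} from events with start <= ts <= end.
    An operation outside CRUD is an error rather than a silent grant."""
    lo, hi = parse_ts(start), parse_ts(end)
    perms = {}
    for ts, _intent, op, obj in parse_log(log_text):
        if not lo <= ts <= hi:
            continue            # activity outside the traced function
        if op not in CRUD_LETTER:
            raise ValueError(f"unknown operation {op!r} on {obj}")
        perms.setdefault(obj, set()).add(CRUD_LETTER[op])
    return perms


def generate_policy(log_text, role, start, end):
    """Emit a policy document: the role plus, per object, the letters seen."""
    perms = observed_operations(log_text, start, end)
    rules = [{"object": obj, "crud": "".join(c for c in "CRUD" if c in letters)}
             for obj, letters in sorted(perms.items())]
    return {"role": role, "rules": rules}


if __name__ == "__main__":
    policy = generate_policy(SAMPLE_LOG, "developer",
                             "2020-03-31T10:00:00Z", "2020-03-31T10:01:00Z")
    print(json.dumps(policy, indent=2))
```

The policy grants exactly what was observed in the window, nothing more; that is what makes the time period and the administrator's confirmation step matter, since any unrelated activity captured inside the window, or a trace run under a more privileged account than the role needs, would be carried straight into the grants.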
Fig. 3 is a flowchart illustrating exemplary operations of an access control policy controller in accordance with the techniques of this disclosure. For convenience, fig. 3 is described with respect to fig. 1 and 2. In the example of fig. 3, access control policy controller 23 may receive a request to create an access control policy that allows a role to perform one or more functions in network system 8 (302). For example, the access control policy controller 23 may receive an indication of one or more user intents that indicate that the role is permitted to perform one or more functions in the network system 8.
The access control policy controller 23 may determine one or more operations to perform on one or more objects in the network system 8 to perform one or more functions based at least in part on tracking the performance of the one or more functions in the network system 8 (304). In some instances, to determine one or more operations to perform on one or more objects in the network to perform one or more functions based at least in part on tracking the performance of one or more functions in the network, access control policy controller 23 may determine one or more operations to perform on one or more objects in network system 8 based at least on one or more logs generated as a result of performing one or more functions in network system 8. In some examples, the one or more logs include an indication of a plurality of events 52 streamed from the one or more servers 12 of the network system 8, and each of the plurality of events 52 indicates an operation performed on an object in the one or more servers 12 of the network system 8.
In some examples, each of the plurality of events 52 is associated with a timestamp in one or more logs. In some instances, to receive a request to create an access control policy that allows a role to perform one or more functions in network system 8, access control policy controller 23 may receive an indication of a time period associated with the performance of one or more functions in network system 8. In some instances, to determine one or more operations to perform on one or more objects in network system 8 based at least on one or more logs generated as a result of performing one or more functions in network system 8, access control policy controller 23 may determine one or more events based at least in part on one or more timestamps associated with the one or more events, the one or more timestamps indicating that the one or more events were generated as a result of performing one or more functions in the network during the time period.
The access control policy controller 23 may determine to create an access control policy for the role that allows the role to perform one or more operations on one or more objects in the network system 8 (306). In some examples, each of the one or more operations performed on the one or more objects includes one or more of create, read, update, and delete (CRUD) operations, and to generate an access control policy for the role that allows the role to perform the one or more operations on the one or more objects in the network system 8, the access control policy controller 23 may generate an access control policy for the role that includes an indication of each of the one or more objects and, for each respective one of the one or more objects, includes an indication of one or more of the CRUD operations that allow the role to perform for the respective object.
The techniques described in this disclosure may be implemented, at least in part, in hardware, software, firmware, or any combination thereof. For example, aspects of the described techniques may be implemented within one or more processors, including one or more microprocessors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs), or any other equivalent integrated or discrete logic circuitry, as well as any combinations of such components. The term "processor" or "processing circuit" may generally refer to any of the foregoing logic circuitry, alone or in combination with other logic circuitry, or any other equivalent circuitry. A control unit comprising hardware may also perform one or more techniques of this disclosure.
Such hardware, software, and firmware may be implemented within the same device or within separate devices to support the various operations and functions described in this disclosure. In addition, any of the described units, modules, or components may be implemented together or separately as discrete logic devices rather than interoperable logic devices. The description of different features as modules or units is intended to emphasize different functional aspects and does not necessarily imply that such modules or units must be implemented by separate hardware or software components. Rather, functions associated with one or more modules or units may be performed by separate hardware or software components or integrated within common or separate hardware or software components.
The techniques described in this disclosure may also be embodied or encoded in a computer-readable medium, such as a computer-readable storage medium comprising instructions. Instructions embedded or encoded in a computer-readable medium may cause a programmable processor or other processor to perform the method, for example, when the instructions are executed. The computer-readable storage medium may include Random Access Memory (RAM), read-only memory (ROM), programmable read-only memory (PROM), erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), flash memory, a hard disk, a CD-ROM, a floppy disk, a magnetic tape cartridge, magnetic media, optical media, or other computer-readable media.

Claims (20)

1. A method, comprising:
receiving, with a controller, a request to create an access control policy that allows a role to perform one or more functions in a network;
responsive to receiving the request, determining, with the controller, one or more particular operations to perform on one or more particular identified objects in the network based at least in part on tracking execution of the one or more functions in the network, the one or more particular operations being performed on the one or more particular identified objects to perform the one or more functions; and
creating, with the controller, the access control policy that allows the role to perform the one or more particular operations on the one or more particular identified objects in the network.
2. The method of claim 1, wherein determining the one or more particular operations to perform on the one or more particular identified objects in the network to perform the one or more functions based at least in part on tracking the execution of the one or more functions in the network comprises:
determining the one or more particular operations performed on the one or more particular identified objects in the network based at least on one or more logs generated as a result of performing the one or more functions in the network.
3. The method of claim 2, wherein,
the one or more logs include indications of a plurality of events streamed from one or more servers of the network, and
each of the plurality of events indicates an operation performed on an object in the one or more servers of the network.
4. The method of claim 3, wherein,
each of the plurality of events is associated with a timestamp in the one or more logs,
Receiving a request to create an access control policy that allows a role to perform one or more functions in a network includes receiving an indication of a time period associated with performance of the one or more functions in the network, and
determining, based at least on the one or more logs generated as a result of executing the one or more functions in the network, the one or more particular operations performed on the one or more particular identified objects in the network includes determining one or more events of the plurality of events based at least in part on one or more timestamps associated with the one or more events, the one or more timestamps indicating that the one or more events were generated as a result of executing the one or more functions in the network within the time period.
5. The method of claim 1, wherein each of the one or more particular operations performed on the one or more particular identified objects includes one or more of create, read, update, and delete (CRUD) operations.
6. The method of claim 5, wherein generating the access control policy that allows the role to perform the one or more particular operations on the one or more particular identified objects in the network comprises:
generating the access control policy to include an indication of each of the one or more particular identified objects, and for each of the one or more particular identified objects, an indication of one or more of the CRUD operations that the role is permitted to perform on the object.
7. The method of any of claims 1-6, wherein receiving the request to create the access control policy that allows the role to perform the one or more functions in the network comprises:
receiving an indication of one or more user intents, the indication representing the one or more functions that the role is permitted to perform in the network.
8. An apparatus, comprising:
a memory configured to store one or more access control policies; and
processing circuitry operably coupled to the memory and configured to:
receiving a request to create an access control policy that allows a role to perform one or more functions in a network;
responsive to receiving the request, determining one or more particular operations to perform on one or more particular identified objects in the network based at least in part on tracking execution of the one or more functions in the network, the one or more particular operations being performed on the one or more particular identified objects to perform the one or more functions; and
creating the access control policy that allows the role to perform the one or more particular operations on the one or more particular identified objects in the network.
9. The device of claim 8, wherein to determine the one or more particular operations to perform on the one or more particular identified objects in the network to perform the one or more functions based at least in part on tracking performance of the one or more functions in the network, the processing circuitry is further configured to:
determine the one or more particular operations performed on the one or more particular identified objects in the network based at least on one or more logs generated as a result of performing the one or more functions in the network.
10. The apparatus of claim 9, wherein,
the one or more logs include indications of a plurality of events streamed from one or more servers of the network, and
each of the plurality of events indicates an operation performed on an object in the one or more servers of the network.
11. The apparatus of claim 10, wherein,
Each of the plurality of events is associated with a timestamp in the one or more logs,
in order to receive the request to create the access control policy that allows the role to perform the one or more functions in the network, the processing circuit is further configured to receive an indication of a time period associated with the performance of the one or more functions in the network, and
to determine the one or more particular operations to perform on the one or more particular identified objects in the network based at least on the one or more logs generated as a result of execution of the one or more functions in the network, the processing circuitry is further configured to determine one or more events of the plurality of events based at least in part on one or more timestamps associated with the one or more events, the one or more timestamps indicating that the one or more events were generated as a result of execution of the one or more functions in the network within the time period.
12. The device of claim 8, wherein each of the one or more particular operations performed on the one or more particular identified objects includes one or more of create, read, update, and delete (CRUD) operations.
13. The device of claim 12, wherein to generate the access control policy that allows the role to perform the one or more particular operations on the one or more particular identified objects in the network, the processing circuitry is further configured to:
generate the access control policy to include an indication of each of the one or more particular identified objects, and for each of the one or more particular identified objects, an indication of one or more of the CRUD operations that the role is permitted to perform on the object.
14. The device of any of claims 8-13, wherein to receive the request to create the access control policy that allows the role to perform the one or more functions in the network, the processing circuitry is further configured to:
receive an indication of one or more user intents, the indication representing the one or more functions that the role is permitted to perform in the network.
15. A non-transitory computer-readable medium comprising instructions that, when executed, cause a processing circuit running a controller for a network to:
Receiving a request to create an access control policy that allows a role to perform one or more functions in the network;
responsive to receiving the request, determine one or more particular operations to perform on one or more particular identified objects in the network based at least in part on tracking execution of the one or more functions in the network, the one or more particular operations being performed on the one or more particular identified objects to perform the one or more functions; and
create the access control policy that allows the role to perform the one or more particular operations on the one or more particular identified objects in the network.
16. The computer-readable medium of claim 15, wherein the instructions that, when executed, cause the processing circuitry to determine the one or more particular operations to perform on the one or more particular identified objects in the network to perform the one or more functions based at least in part on tracking the execution of the one or more functions in the network further cause the processing circuitry to:
determine the one or more particular operations performed on the one or more particular identified objects in the network based at least on one or more logs generated as a result of performing the one or more functions in the network.
17. The computer-readable medium of claim 16, wherein,
the one or more logs include indications of a plurality of events streamed from one or more servers of the network, and
each of the plurality of events indicates an operation performed on an object in the one or more servers of the network.
18. The computer-readable medium of claim 17,
wherein each of the plurality of events is associated with a timestamp in the one or more logs,
wherein the instructions, when executed, that cause the processing circuitry to receive the request to create the access control policy that allows the role to perform the one or more functions in the network further cause the processing circuitry to receive an indication of a time period associated with the performance of the one or more functions in the network, and
wherein the instructions, when executed, cause the processing circuitry to determine the one or more particular operations to perform on the one or more particular recognition objects in the network based at least on the one or more logs generated as a result of performing the one or more functions in the network, further cause the processing circuitry to determine one or more events of the plurality of events based at least in part on one or more timestamps associated with the one or more events, the one or more timestamps indicating that the one or more events were generated as a result of performing the one or more functions in the network within the time period.
19. The computer-readable medium of claim 15, wherein each of the one or more particular operations performed on the one or more particular recognition objects includes one or more of create, read, update, and delete (CRUD) operations.
20. The computer-readable medium of any of claims 15-19, wherein the instructions that, when executed, cause the processing circuitry to generate the access control policy that allows the role to perform the one or more particular operations on the one or more particular identified objects in the network further cause the processing circuitry to:
generate the access control policy to include an indication of each of the one or more particular identified objects and, for each of the one or more particular identified objects, an indication of the one or more CRUD operations that the role is permitted to perform on the object.
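Claims 16 to 20 describe one procedure: events streamed from the network's servers are recorded in logs with timestamps, the events whose timestamps fall within the period in which the role's functions were exercised are selected, those events are reduced to the CRUD operations observed per identified object, and the resulting policy grants the role exactly those operations on exactly those objects. The following Python is a worked example of that procedure added for this page; it is not code from the patent or from Juniper Networks. The log line format, the field names, the server and object names, the sample events and the policy layout are all constructed assumptions.

```python
"""Added example: build a least-privilege RBAC policy for a role from a
time-bounded window of audit events (the procedure of claims 16 to 20).
Log format, object and server names and the policy layout are constructed
assumptions for this example, not the patent's own schema."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set

# The operation vocabulary of claim 19.
CRUD = frozenset({"create", "read", "update", "delete"})


@dataclass(frozen=True)
class Event:
    """One streamed event: an operation performed on an object in a server (claim 17)."""
    timestamp: datetime
    server: str
    object_type: str
    operation: str


def parse_event(line: str) -> Event:
    """Parse a constructed log line: '<ISO-8601 UTC timestamp> <server> <object> <operation>'."""
    ts, server, obj, op = line.split()
    op = op.lower()
    if op not in CRUD:
        raise ValueError(f"unsupported operation {op!r} in log line {line!r}")
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), server, obj, op)


def parse_log(text: str) -> List[Event]:
    """Parse every non-empty line of a constructed log into an Event."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def events_in_period(events: Iterable[Event], start: datetime, end: datetime) -> List[Event]:
    """Claim 18: keep only the events whose timestamps fall within the requested period."""
    return [e for e in events if start <= e.timestamp <= end]


def generate_policy(role: str, events: Iterable[Event], start: datetime, end: datetime) -> dict:
    """Claims 16-20: map the in-period events to the CRUD operations observed per
    identified object and grant the role exactly those operations."""
    allowed: Dict[str, Set[str]] = {}
    for e in events_in_period(events, start, end):
        allowed.setdefault(e.object_type, set()).add(e.operation)
    return {
        "role": role,
        "rules": [{"object": obj, "operations": sorted(ops)}
                  for obj, ops in sorted(allowed.items())],
    }


def is_permitted(policy: dict, object_type: str, operation: str) -> bool:
    """Enforcement check against a generated policy; anything not granted is denied."""
    for rule in policy["rules"]:
        if rule["object"] == object_type:
            return operation in rule["operations"]
    return False


# Constructed sample log: the role's functions were exercised between 09:00 and
# 09:10 UTC on two servers; the later delete is unrelated activity and must not
# be granted to the role.
SAMPLE_LOG = """\
2024-01-15T09:00:01Z server-a virtual_network create
2024-01-15T09:00:07Z server-a virtual_network read
2024-01-15T09:01:30Z server-b port create
2024-01-15T09:02:10Z server-b port update
2024-01-15T12:00:00Z server-a virtual_network delete
"""
PERIOD_START = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
PERIOD_END = datetime(2024, 1, 15, 9, 10, tzinfo=timezone.utc)


def example_policy() -> dict:
    """Generate the policy for the constructed sample above."""
    return generate_policy("network-operator", parse_log(SAMPLE_LOG), PERIOD_START, PERIOD_END)


if __name__ == "__main__":
    import json
    print(json.dumps(example_policy(), indent=2))
```

The time window is what keeps the generated policy minimal: without it, every operation the operator ever performed, including the unrelated `delete` in the sample, would be folded into the role. A practitioner reviewing such a policy should check that the window covers a complete, representative execution of the functions, since an operation that was never exercised during the window will be denied by `is_permitted`.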
CN202310640113.7A 2020-03-31 2020-06-11 Role-based access control policy auto-generation Pending CN116668122A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US16/836,410 2020-03-31
US16/836,410 US11595393B2 (en) 2020-03-31 2020-03-31 Role-based access control policy auto generation
CN202010528849.1A CN113472729B (en) 2020-03-31 2020-06-11 Role-based access control policy auto-generation

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN202010528849.1A Division CN113472729B (en) 2020-03-31 2020-06-11 Role-based access control policy auto-generation

Publications (1)

Publication Number Publication Date
CN116668122A true CN116668122A (en) 2023-08-29

Family

ID=71096578

Family Applications (2)

Application Number Title Priority Date Filing Date
CN202010528849.1A Active CN113472729B (en) 2020-03-31 2020-06-11 Role-based access control policy auto-generation
CN202310640113.7A Pending CN116668122A (en) 2020-03-31 2020-06-11 Role-based access control policy auto-generation

Family Applications Before (1)

Application Number Title Priority Date Filing Date
CN202010528849.1A Active CN113472729B (en) 2020-03-31 2020-06-11 Role-based access control policy auto-generation

Country Status (3)

Country Link
US (2) US11595393B2 (en)
EP (1) EP3889772A1 (en)
CN (2) CN113472729B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11463448B2 (en) * 2020-03-13 2022-10-04 Sap Se Access control for object instances
US11470071B2 (en) * 2020-04-20 2022-10-11 Vmware, Inc. Authentication for logical overlay network traffic
US11736525B1 (en) * 2020-06-17 2023-08-22 Amazon Technologies, Inc. Generating access control policies using static analysis
US11743180B2 (en) * 2020-11-20 2023-08-29 At&T Intellectual Property I, L.P. System and method for routing traffic onto an MPLS network
US11792718B2 (en) * 2021-02-22 2023-10-17 Hewlett Packard Enterprise Development Lp Authentication chaining in micro branch deployment
CN114448659B (en) * 2021-12-16 2022-10-11 河南大学 Yellow river dam bank monitoring Internet of things access control optimization method based on attribute exploration

Family Cites Families (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ES2215804T3 (en) 2001-04-03 2004-10-16 Beta Systems Software Ag AUTOMATIC ROLE CREATION FOR A ROLE-BASED ACCESS CONTROL SYSTEM.
US8161173B1 (en) 2005-03-30 2012-04-17 Oracle America, Inc. Role passing and persistence mechanism for a container
US9253663B2 (en) 2009-01-28 2016-02-02 Headwater Partners I Llc Controlling mobile device communications on a roaming network based on device state
US8984583B2 (en) * 2012-05-30 2015-03-17 Accenture Global Services Limited Healthcare privacy breach prevention through integrated audit and access control
US9064216B2 (en) 2012-06-06 2015-06-23 Juniper Networks, Inc. Identifying likely faulty components in a distributed system
US9154507B2 (en) * 2012-10-15 2015-10-06 International Business Machines Corporation Automated role and entitlements mining using network observations
US9432375B2 (en) 2013-10-10 2016-08-30 International Business Machines Corporation Trust/value/risk-based access control policy
US10122757B1 (en) 2014-12-17 2018-11-06 Amazon Technologies, Inc. Self-learning access control policies
US9680875B2 (en) 2015-01-20 2017-06-13 Cisco Technology, Inc. Security policy unification across different security products
RU2730534C2 (en) 2015-10-13 2020-08-24 Шнейдер Электрик Эндюстри Сас Method for arranging workloads in a program-defined automated system
US10430594B2 (en) 2015-11-25 2019-10-01 Carrier Corporation Extraction of policies from static permissions and access events for physical access control
WO2017177076A1 (en) 2016-04-08 2017-10-12 Cloud Knox, Inc. Activity based access control in heterogeneous environments
US10291497B2 (en) 2017-03-31 2019-05-14 Juniper Networks, Inc. Session-based traffic statistics logging for virtual routers
US10419446B2 (en) 2017-07-10 2019-09-17 Cisco Technology, Inc. End-to-end policy management for a chain of administrative domains
US10999163B2 (en) 2018-08-14 2021-05-04 Juniper Networks, Inc. Multi-cloud virtual computing environment provisioning using a high-level topology description
US10728145B2 (en) 2018-08-30 2020-07-28 Juniper Networks, Inc. Multiple virtual network interface support for virtual execution elements
CN110519224B (en) 2019-07-15 2022-02-22 苏州浪潮智能科技有限公司 Method and equipment for intelligently generating network protection strategy in virtualization environment

Also Published As

Publication number Publication date
CN113472729B (en) 2023-06-16
US20210306338A1 (en) 2021-09-30
EP3889772A1 (en) 2021-10-06
CN113472729A (en) 2021-10-01
US11595393B2 (en) 2023-02-28
US20230188526A1 (en) 2023-06-15

Similar Documents

Publication Publication Date Title
CN113472729B (en) Role-based access control policy auto-generation
CN109818918B (en) Policy driven workload initiation based on software defined network encryption policy
CN110971584B (en) Intent-based policies generated for virtual networks
CN110830357B (en) Multi-cloud virtual computing environment provisioning using advanced topology description
US20210344692A1 (en) Providing a virtual security appliance architecture to a virtual cloud infrastructure
CN110120934B (en) Method, software defined network controller and medium for applying firewall policy
CN108696402B (en) Session-based traffic statistics logging for virtual routers
CN111355604B (en) System and method for user customization and automation operations on software defined networks
JP5976942B2 (en) System and method for providing policy-based data center network automation
AU2012340387B2 (en) Network control system for configuring middleboxes
EP4141666A1 (en) Dual user space-kernel space datapaths for packet processing operations
AU2017204765B2 (en) Network control system for configuring middleboxes
US12021740B2 (en) Policy enforcement for bare metal servers by top of rack switches

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination